Now that we have emerged from the COVID pandemic, the frequency of medical record audits has increased. Government and commercial carrier audits are prevalent. At the same time, multiple changes in medical coding guidelines and regulations are occurring. With all the challenges facing physicians and their practice staff, it is not surprising that very little time remains to become familiar with the new requirements, exposing your practice to risk of revenue loss from carrier audits.
This article will explore the audit process, identify at-risk audit areas and discuss best practices to help ensure that the revenue that providers are earning is the revenue they will keep.
Claims Adjudication & Typical Audit Processes
Providers’ claims are generally processed in good faith. That is, there is usually no requirement to submit documentation along with the claim, which is essentially a request for reimbursement for services. Reimbursement for these services will be subject to front-end edits that the payor has embedded into its software; these include contractual allowances, codes that are considered inclusive of each other and diagnoses that support medical necessity. At this point, there is no review of the medical record unless the carrier has guidelines in place for specific services.
An audit usually begins when providers get a letter requesting supporting documentation for some of their billed claims. This is because, in practice, the documentation frequently does not support the codes billed. Therefore, carriers have turned to periodic random medical record audits to ensure that their payments correspond to the services rendered, not just the billed codes.
A single review might not result in any future actions, but once a payor has performed multiple reviews and determines that a provider’s documentation repeatedly does not substantiate the codes on the claim form, his or her future claims from both this payor and other payors may be proactively tracked. That carrier then has the right to either retract the payment made or withhold the amount from future claim payments. If future audits also identify problematic documentation, and patterns of noncompliance are detected, the carrier may allege fraud, or the intent to bill inappropriately. The provider then faces possible extrapolation of similar claims going back many years, in excess of statutory or contractual time limits, and the organization may stand to lose a hefty portion of its earned revenue.
Alternatively, the payor might initiate a prepayment review of future claims, meaning that all claims must be accompanied by documentation of the encounter that is reviewed prior to payment. This costs the practice in both staff processing and reimbursement turnaround time. Beyond that, the audits cause stress on providers and their staff. There is also the possibility of criminal charges being filed.
Every year, Centers for Medicare & Medicaid Services (CMS) report on their estimated improper payment rate. Since payments are made based only on front-end edits, some of these payments may have been improper. Via Comprehensive Error Rate Testing (CERT) and post-payment audits, CMS identifies an estimate of claims that should not have been paid because they failed to meet statutory, regulatory or administrative requirements. It is important to note that these improper payment rates don’t necessarily indicate any measure of fraud or even expenses that should not have occurred—just that the claim should not have been paid. The Office of Management and Budget states that when an agency’s review is unable to discern whether a payment was proper as a result of insufficient or missing documentation, then that payment should be considered improper.1 These “improper payments” may be overpayments or underpayments.
“In 2022, it is estimated that $31.5 billion, or about 7.5 percent, of Medicare fee-for-service payments were improper.”
Figure 1 shows common causes of improper payments from Medicare. In 2022, it is estimated that $31.5 billion, or about 7.5 percent, of Medicare fee-for-service payments were improper. The top reason for these payments, at nearly 64 percent, is insufficient documentation. This occurs when the medical records submitted do not support the services rendered, so reviewers could not conclude that the billed services were actually provided, or were provided at the level billed. Next in value, we see medical necessity (13.8 percent), incorrect coding submissions (10.5 percent) and no documentation (3.8 percent), in which the practice could not provide documentation for that date of service or at times even for the patient.Figure 2 identifies top root causes of improper payments for Medicare Part B established office visits. Incorrect coding, with a high percentage of evaluation and management (E&M) services, leads the list. Over-coding of E&M services, in which a lower level of code was supported by documentation, and is also a compliance risk, was noted 61 percent of the time. In 9 percent of claims, the documentation supported a higher level of E&M service, representing a revenue opportunity. An E&M service billed on the same day as a minor procedure represented an additional 3 percent of improper payments, and this area is highly targeted by payers. Next in line, insufficient or no documentation to support the codes billed represented 25 percent of improper established office E&M payments. These include inadequate documentation to support that the services were actually provided, at 6 percent. Many of the remaining concerns likely resulted from insufficient revenue cycle processes, such as an inadequate or no billed date of service in the medical record (9 percent), no signature or an illegible signature (3 percent), or no attestation for unsigned documentation (2 percent). Two percent of improper payments were made when there were no medical records at all to support the encounter, and at times when the beneficiary wasn’t even a patient of the practice.
Compliance Basics: Principles of Medical Record Documentation
Certain basic principles of medical record documentation are considered best practices that providers need to know to ensure that their documentation is compliant and contains all required elements. These practices are followed by CMS, government payors, commercial carriers and most claims auditors. The principles are rather simple, but failure to ensure that the documentation meets these guidelines are some of the top reasons that providers lose revenue in audits.
Guidelines for medical record documentation require that the services rendered to a patient and the medical necessity for these services are documented by the rendering provider in the medical record. The CMS guidelines2 list certain requirements of medical record documentation that are too often overlooked. A few examples of documentation that should be supported in each patient encounter include the following:
- The date and reason for the encounter
- The reasons for and results of x-rays, lab tests and other ancillary services
- Support for the intensity of the patient evaluation and/or the treatment, including the thought processes and the complexity of medical decision making
- Dated and authenticated entries to the medical record
- Procedure and diagnosis codes reported on the health insurance claim form or billing statement that reflect the documentation on the medical record
“Regardless of how codes are assigned within the practice, it is ultimately the provider of services who is responsible for ensuring that the submitted claim accurately reflects the services provided and that the medical record documentation supports the level of service billed to a payor.”
Another key factor in ensuring correct documentation is understanding who is responsible for the accuracy of the medical record documentation and the codes billed. Regardless of how codes are assigned within the practice, it is ultimately the provider of services who is responsible for ensuring that the submitted claim accurately reflects the services provided and that the medical record documentation supports the level of service billed to a payor. When a provider authenticates a signature, even in electronic format, this attests to the accuracy of each claim.
Assess Risk Areas
Every provider should assess the top risk areas in their practice that are frequently subjected to audits. In order to understand your practice’s risk areas, first identify frequently performed services by running a billing productivity report to address high-volume services. Ensure that your providers and staff understand any new guidelines, as well as local, national and commercial carrier requirements in order to ensure that the medical record supports these requirements.
Top Risk Areas
The top risk areas, based on a composite of CMS’ improper payments, the Office of Inspector General (OIG) Workplan and areas targeted by carrier audits, are listed in Figure 3. The two areas that are most frequently identified, due to recent changes in Current Procedural Terminology (CPT®) descriptors and guidelines, as well as changes in government and payor policy, are 1) evaluation and management (E&M) services and 2) telehealth services.
Evaluation & Management
A massive overhaul to CPT® code descriptors and guidelines for office and outpatient services E&Ms went into effect January 1, 2021. In January 2023, the guidelines for all locations of E&M services were also overhauled. A major goal of these changes is to better align medical record documentation and coding, intending to simplify the administrative burden on providers and practices.
Figure 4 offers an overview of the changes to the E&M code sets. The top row shows the timeline. This is important because when auditing documentation, the applicable guidelines for that date of service are used. The office guidelines changed in 2021 and were subsequently updated through 2023; guidelines for hospitals and other places of service initially changed in 2023. The right column highlights important aspects of these changes. Be aware of the context in the new CPT® guidelines, the definitions of key terms and new code descriptors.
The next row in Figure 4, “Guidelines,” shows how E&M was previously coded using history, exam and medical decision making (MDM). Currently, either MDM or time is necessary to code E&M levels. Only a medically appropriate history and exam are required. Under past guidelines, a substantially different table of risk was used, in part, for medical decision-making levels. Currently, a totally revised MDM table is used and conveniently placed in the CPT® manual. All providers should review the new MDM table and understand the definitions of these terms as listed in CPT®, in order to accurately assign code levels. It is also important to realize that the code levels previously supported by documentation may differ now. The same documentation may reflect a different level code, dependent on which set of guidelines are applied. For example, what was previously supported as a level four may now be either a level three or a level five.
The third row in Figure 4 updates the concept of time. Previously, time could be used for documentation only when it was face-to-face time with the patient, but now, total time spent caring for the patient on that date of service applies. Also, in the past, time was utilized only when more than half was spent on counseling or coordination of care. Now, there is a much more encompassing time definition, which includes specific clinician time on the date of the service. It is important to note that the new prolonged service codes differ for CMS and other commercial carriers; CPT® contains a specific list of what constitutes appropriate time.
The fourth row in Figure 4 shows some E&M codes that have been eliminated. For example, 99201 was eliminated because the level of MDM was the same as 99202. In addition, the concept of inpatient hospital and observation services have been refined and the categories have merged.
Due to the considerable changes in E&M coding, which typically constitutes a high percentage of provider services in all locations, it is worthwhile for providers to take the time to become educated on the new CPT® code descriptors and guidelines—with the support of certified professional coders. These specialists can interpret the new codes and apply your individual documentation style to current guidelines. The goal is not to change the way you provide service to your patients, but rather to integrate your clinical documentation to support the code requirements, without impacting patient care.
When CMS implemented and later extended some leniencies in providing telehealth—such as the ability to render services in more locations than previously allowed—the use of telehealth increased substantially. Beginning with the public health emergency (PHE), waivers were created that allowed for some services to be temporarily rendered via telehealth. Use of these codes (including telephone-based E&M’s 99441 through 99443) has been extended, and through the Consolidated Appropriations Act3 passed in December 2022, certain key telehealth flexibilities will stay in place, at least for Medicare and Medicaid services, through December 31, 2024.
Commercial carriers do not have to follow CMS guidelines, so be sure to check with your individual carriers for appropriate guidance, including areas such as modifiers and audio-only telehealth services. It is advisable to set up a matrix to support quick reference for billing compliance, listing all requirements by time frame and carrier.
Some 2023 CPT® revisions apply to telehealth. Included in the 2023 CPT® manual is a new Appendix T with CPT® codes that may be used for synchronous, real-time, interactive, audio-only telemedicine services and new modifiers, including Modifier 93, reflecting services provided via telephone or other real-time, interactive, audio-only communication.
All requirements for the billed codes must be supported in documentation. There are no waivers of requirements due to being a telehealth encounter. Documentation compliance should include the method of telehealth delivery, audio or audiovisual; what platform was used, such as Teladoc, Doxy.me or telephone; and locations of the provider and the patient. Of key importance, providers must document that the member consents to receive services via telehealth. Additionally, document any other clinical participants and, if required by the CPT® descriptor, the time spent performing services.
Based on guidelines created by the Department of Health and Human Services,4 the following steps will help you to mitigate your risk of revenue loss due to carrier audits, to bill appropriately for services rendered and to implement appropriate practices to continue retaining the revenue earned. As a result of these reviews, your practice should see increased accuracy in documentation, which will also help ensure that the revenue you are earning is the revenue you will keep (see Figure 5).
- Identify your practice’s risk areas: In order to address risk areas, first identify the frequently performed at-risk services in your practice. A billing productivity report will identify high volume procedures.
- Understand documentation and carrier criteria: Know the documentation requirements for the procedure or service and the diagnosis. Be very familiar with local and national coverage determinations and the commercial payor medical policies, and know the descriptors and guidelines for the CPT® and ICD-10 codes. Also, be aware of supporting sources such as CPT® Assistant and CPT® errata, which provide additional clarification to code descriptors and appropriate usage.
- Review medical record documentation: Review the medical record documentation and compare the written record to the documentation requirements identified.
- Identify areas of deficiency: Note and track any deficiencies in the medical record in order to both improve clinical documentation as well as objectively identify to carriers the progress made.
- Educate providers and staff: Provide education to providers and staff, at the appropriate level for each group. Both group and individual training have value when working with providers in order to support the providers’ documentation style while incorporating necessary concepts to ensure compliance.
- Create written compliance guidelines for future reference: Create compliant guidelines for future reference, both for current providers and future hires. This will allow for a quick reference source, as well as document the practice’s compliant intentions.
The OIG recommends that physician practices perform periodic audits on providers’ documentation as part of a compliance plan.4 Refer to OIG Compliance Program for Individual and Small Group Physician Practices and review the Steps for Implementing a Voluntary Compliance Program. Note that this program can be a multi-tiered process, with initial development focused on practice risk areas that are problematic such as coding and billing. The OIG advises reviewing claims denials as well as the aforementioned overpayments.
A well-designed compliance program can facilitate reimbursement, reduce billing errors and contribute to insulating the practice from allegations of improper intent should an audit be conducted by government or commercial payers.
In today’s healthcare environment, regulatory requirements can seem overwhelming. In order to allow providers to appropriately focus on patient care, it is imperative to capture all billable revenue and retain the revenue earned. By billing and coding compliantly, we can ensure that hard-earned revenue supports the providers—who care for and support the patients.